DNS Spoofing/Pinning

Hello
I read the article written by Martin Johns.
http://shampoo.antville.org/stories/1451301/
It was very interesting for me, and I made an online demonstration.
http://www.jumperz.net/index.php?i=2&a=1&b=7
Changing the DNS record (the IP address of the attacker's host) to a private address, and
stealing information from intranets. Please try it.
( Please don't send sensitive information :)
By the way, the DNS issue is very complicated.
If the web browser caches the DNS record forever, there will be a problem with dynamic DNS.
( a scenario described at https://bugzilla.mozilla.org/show_bug.cgi?id=162871#c10 )
And if the web browser updates the DNS record, attacks like the one in Martin's article ( and my demonstration ) become possible.
What do you think?
IMHO, it is a vulnerability of the DNS protocol itself, not of web browsers.
Thanks.
http://sla.ckers.org/forum/read.php?6,4511,4511#msg-4511

[Feed generated Tue, 31 Mar 2015 17:04:16 -0500 by Phorum 5.2.15a]

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,14526#msg-14526
But I don't think so. The malicious code in the browser can communicate with the attacker's other host using a cross-domain access technique like JSONP, or FLASH with a valid crossdomain.xml ( or policy server ).

So we don't need Multi-Pin. Single-Pin ( to the target host ) is enough.

-- Kanatoko, Fri, 10 Aug 2007 09:43:10 -0500

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,14500#msg-14500
> That paper has been posted here by christ1an some days ago

I didn't know that. thanks.
In that paper, my web site is referred to as the "black-hat community". lol

> FYI, I'm currently implementing its "same subnet" anti-rebinding
> policy (both in IPv4 and IPv6) as a new NoScript feature that I call "DNS Nailing".

Wow, you are Mr. NoScript! Great.
I have used NoScript for months and it really works well. Thanks.
I'll buy you a drink when you come to Tokyo :)

-- Kanatoko, Thu, 09 Aug 2007 10:31:10 -0500

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,14490#msg-14490
FYI, I'm currently implementing its "same subnet" anti-rebinding policy (both in IPv4 and IPv6) as a new NoScript feature that I call "DNS Nailing".

-- ma1, Thu, 09 Aug 2007 06:28:58 -0500

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,14489#msg-14489
I like this term because it represents the issue correctly.

And, just FYI
"Protecting Browsers from DNS Rebinding Attacks" by Stanford University
http://crypto.stanford.edu/dns/

-- Kanatoko, Thu, 09 Aug 2007 05:32:35 -0500

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,13978#msg-13978
Following the news the other day that IE doesn't actively implement DNS-Pinning; it seems Firefox (2.0.0.4) DNS pinning is either non-existent or somewhat strange too.

Take a look and let me know what you think http://getahead.org/blog/mark .

Do you mean the source code of the FLASH file?
If so, it is here: http://www.jumperz.net/exploits/aflash.mxml.txt
I have updated my demo, and now it is faster than the old version, as you say in your blog, but the FLASH file is not changed.
I just removed the JavaScript part.

I thought that FLASH would pin the DNS cache, so we would need to use the
"classical" way ( shutting down the web server, using a closed port, using a firewall, etc. ), the same as with JavaScript.

But FLASH does the name resolution by itself, not depending on the web
browser ( maybe it depends on the OS ).
I mean, there is no relationship between FLASH and the web browser as far as
the DNS cache and name resolution are concerned.
The web browsers ( IE, Firefox and Opera ) pin the DNS cache.
FLASH, on the other hand, does not pin the DNS cache.

FLASH discards the old DNS cache after the TTL has passed.
We don't need to use any techniques to make FLASH refresh the DNS cache.
We just need to wait.

So attacking FLASH is very easy.

I noticed this and updated my demo: http://www.jumperz.net/index.php?i=2&a=1&b=8
The source code of the demo is very simple now ( because there is no
need to use the closed port ).

It may be inappropriate that I named this article "Anti-DNS Pinning + Socket in FLASH", because there is no DNS pinning ... :p

How should we name this attack vector ( breaking the same-origin policy, which is based on the hostname, by changing the DNS )?

-- Kanatoko, Thu, 01 Feb 2007 12:54:57 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,5361#msg-5361
-- rsnake, Tue, 16 Jan 2007 17:57:24 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,5337#msg-5337
The application, when it is requested, checks for a special cookie. If the cookie is absent, it is set with an explicit domain parameter and the browser is redirected to the app again with an additional parameter, which is a hash of that cookie. If the cookie was not set successfully or is wrong, then DNS was spoofed.

-- bubenrazuma, Tue, 16 Jan 2007 03:59:17 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,5336#msg-5336
-- bubenrazuma, Tue, 16 Jan 2007 03:39:28 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,5169#msg-5169
http://www.jumperz.net/exploits/aflash.mxml.txt

-- Kanatoko, Fri, 12 Jan 2007 14:15:58 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,5166#msg-5166
-- rsnake, Fri, 12 Jan 2007 13:48:03 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,5091#msg-5091
http://www.jumperz.net/index.php?i=2&a=3&b=3
This is about Anti-DNS Pinning + Socket in FLASH.

--
Step 1: wait for the DNS record ( already in the browser cache ) to expire.
Step 2: make the browser access a closed port.
--

::About Step 1::
On IE and Opera, the time needed is the same as the TTL value of the DNS record.
So this value can be very short.
I use 8 seconds in my demo.

On Firefox, the time needed is about 120 seconds at the shortest.
This value ( 120 ) is regardless of the TTL value in the DNS record.
So we need to wait relatively long to attack Firefox.

::About Step 2::
There is no need to repeat this step multiple times.
Once is enough, on all browsers.
( kuza55 was right )

-- Kanatoko, Wed, 10 Jan 2007 23:25:44 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4581#msg-4581
You are right. I have tested with connecting to port 81 only once, and the demo works. Thanks. I'll do more tests.

jungsonn

Sorry, I meant 'JavaScript', not 'JSP (Java)'.

-- Kanatoko, Fri, 29 Dec 2006 12:34:07 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4570#msg-4570
-- rsnake, Fri, 29 Dec 2006 10:17:30 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4563#msg-4563
At the moment I'm hacking a fresh copy of Firefox 2 to roll my own browser with a lot of modifications, and there is a lot to be done: remove caching, no history, no password saver, strip the anti-phishing filter and all phone-home objects to Mozilla and Google, standard NoScript & Tor built in, stripping toolbars, and more features.

And I also plan to build a signal-to-noise function into it, which runs a low-priority process in the background imitating a casual surfer while I'm browsing myself or when I'm idle (this to prevent traffic analysis), which is the next big thing when everything is encrypted. It's very hard to protect yourself from traffic analysis. Packets can be tunneled/encrypted, but they remain vulnerable to traffic analysis. If packet A is this size encrypted, it should be this size unencrypted. If packet B is this size as a request, and the response packet C is this size from a website, I can calculate which site you are visiting, despite tunneling, just by looking at the packet sizes. So signal-to-noise could solve that.

btw kanatoko: where do you have the source? I can't find it on your site.

-- jungsonn, Fri, 29 Dec 2006 05:30:56 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4557#msg-4557
-- rsnake, Thu, 28 Dec 2006 22:32:28 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4549#msg-4549
-------------------------------------------------------
> That's really interesting, Kuza55, thanks for
> sending the link... But if you had a PHP include
> vuln on that site, I'd be way more worried about
> other things like using it as a shell or as a
> robot or whatever...

Oh, of course, and if you had a PHP include vuln in a site you would be able to do whatever you wanted; this is more for attacking sites on shared hosting, either because you can get an account on the machine or because you found an include vuln in a site on the same box.

-- kuza55, Thu, 28 Dec 2006 18:22:20 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4545#msg-4545
-- rsnake, Thu, 28 Dec 2006 17:51:56 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4541#msg-4541
rsnake Wrote:
-------------------------------------------------------
> Cross domain policies doesn't apply to
> ports. Poof. Great find!

Speaking of cross domain policies not applying to ports, you've probably already seen this, but just in case you haven't, this is another interesting way of exploiting the fact that cross domain policies disregard ports: http://blog.php-security.org/archives/62-Cross-Virtual-Host-Cookie-Theft.html

-- kuza55, Thu, 28 Dec 2006 17:00:26 -0600

Re: DNS Spoofing/Pinning
http://sla.ckers.org/forum/read.php?6,4511,4539#msg-4539
Technical details of the demo.
#I'm very sorry for my poor English
( I wrote URLs as 'htp://', not 'http://' to avoid auto link )

2. The form is submitted, and the browser jumps to htp://www.jumperz.net/exploits/dnsp2.jsp with a parameter 'address=192.168.0.1'.

3. A unique string is generated ( actually a time in milliseconds, like '1166986089765' ).
This string will be used as a 'one-time subdomain'.
A DNS record is added to the configuration file of djbdns ( http://cr.yp.to/djbdns.html ).

In this case, the line added to the configuration file will be '=1166986089765.jumperz.net:218.45.25.195:8'.
This line means:
hostname = 1166986089765.jumperz.net
ip address = 218.45.25.195
ttl = 8 seconds

4. A system command that makes djbdns reload the configuration file is executed.

5. The HTTP response is sent to the browser. This response looks like this:
---
HTTP/1.1 302 Found
Location: htp://1166986089765.jumperz.net/exploits/dnsp3.jsp?address=192.168.0.1

---

6. The browser is redirected to 'htp://1166986089765.jumperz.net/exploits/dnsp3.jsp?address=192.168.0.1'.
At this time, 1166986089765.jumperz.net is bound to 218.45.25.195 ( the attacker's web server ), so the browser accesses 218.45.25.195.

7. dnsp3.jsp changes the DNS record and makes djbdns reload the configuration file.
In this case, the line in the djbdns configuration file is replaced as follows:

before:
=1166986089765.jumperz.net:218.45.25.195:8

after:
=1166986089765.jumperz.net:192.168.0.1:600

And the page that contains the malicious script is loaded to the browser.

8. The script starts.

9. After sleeping a few seconds, the script makes the browser access 'htp://1166986089765.jumperz.net:81/'.
At this time the browser tries to access 218.45.25.195.
Because port 81 ( of 218.45.25.195 ) is closed, the request fails.
The script repeats this ( trying to access port 81 ) a few times.

10. The browser looks up the DNS record.
As described in step 7, at this time '1166986089765.jumperz.net' is bound to '192.168.0.1'.

11. The script makes the browser access 'htp://1166986089765.jumperz.net/'.
The HTTP request is actually sent to 192.168.0.1.
The script can access the content of the HTTP response because of the 'same origin policy'.
The data is put into the form element and sent to www.jumperz.net.

For more details, please see the source code of dnsp3.jsp.
And if you have questions, please feel free to ask me.
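The two posts in this thread that describe the demo (the "Step 1 / Step 2" summary of 10 Jan 2007 and the numbered walk-through just above) can be checked against a small model. The Python below is an added example, not code from the thread or from the jumperz.net demo: it reproduces the tinydns data-line format and the 302 from the walk-through, keeps a resolver-side cache that honours max(TTL, floor) (floor 0 for the IE/Opera timing in the post, 120 for the Firefox timing it reports), and pins a host's address until a connection to it fails. run_demo() plays steps 3 to 11 in the post's order and returns which address the browser contacts; host_header_ok() is the check the intranet side can make at step 11. The class and function names, the time-0 clock and the one-record data file are assumptions of the model; the IPs, TTLs and file format are the post's.

```python
import re

ATTACKER_IP = "218.45.25.195"   # the attacker's web server, as in the post
ZONE = "jumperz.net"
LINE_RE = re.compile(r"^=(?P<fqdn>[^:]+):(?P<ip>[^:]+):(?P<ttl>\d+)$")

def one_time_host(now_ms):
    """Step 3: a throw-away label made from the time in milliseconds."""
    return f"{now_ms}.{ZONE}"

def tinydns_line(fqdn, ip, ttl):
    """A tinydns 'data' record of the form '=fqdn:ip:ttl'."""
    return f"={fqdn}:{ip}:{ttl}"

def parse_tinydns_line(line):
    """Inverse of tinydns_line; raises ValueError for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an '=' record: {line!r}")
    return m["fqdn"], m["ip"], int(m["ttl"])

def flip_record(data, fqdn, new_ip, new_ttl):
    """Step 7: rewrite the one line for fqdn, leaving the rest of the file alone."""
    out, hit = [], False
    for line in data:
        if line.startswith("=") and parse_tinydns_line(line)[0] == fqdn:
            out.append(tinydns_line(fqdn, new_ip, new_ttl))
            hit = True
        else:
            out.append(line)
    if not hit:
        raise KeyError(fqdn)
    return out

def redirect_to(fqdn, target_ip):
    """Step 5: the 302 that moves the browser onto the one-time host."""
    return (f"HTTP/1.1 302 Found\r\nLocation: http://{fqdn}/exploits/dnsp3.jsp"
            f"?address={target_ip}\r\n\r\n")

class DnsCache:
    """Resolver-side cache (assumed model): an answer is reused until
    max(TTL, min_ttl) seconds have passed.  min_ttl=0 follows the record TTL
    (the IE/Opera timing in the post); min_ttl=120 models the floor it
    reports for Firefox."""
    def __init__(self, lookup, min_ttl=0):
        self.lookup, self.min_ttl, self.cache = lookup, min_ttl, {}
    def resolve(self, fqdn, now):
        ip, expires = self.cache.get(fqdn, (None, 0))
        if ip is None or now >= expires:
            ip, ttl = self.lookup(fqdn)
            self.cache[fqdn] = (ip, now + max(ttl, self.min_ttl))
        return self.cache[fqdn][0]

class PinnedBrowser:
    """The pin (assumed model): the first address used for a host is kept for
    the life of the page; only a failed connection (step 9) makes the browser
    consult the cache again (step 10)."""
    def __init__(self, dns):
        self.dns, self.pins = dns, {}
    def connect(self, fqdn, now, port_open=True):
        if fqdn not in self.pins:
            self.pins[fqdn] = self.dns.resolve(fqdn, now)
        if not port_open:
            del self.pins[fqdn]            # connection refused: the pin is dropped
            return None
        return self.pins[fqdn]

def host_header_ok(host_header, own_names):
    """Intranet-side check: at step 11 the request still carries
    'Host: <one-time>.jumperz.net', so a server that answers only for its
    own names gives the script nothing worth reading."""
    host = host_header.split(":", 1)[0].rstrip(".").lower()
    return host in {n.lower() for n in own_names}

def run_demo(wait_seconds, min_ttl=0, target_ip="192.168.0.1"):
    """Steps 3-11 in the post's order.  Returns the address the browser talks
    to at step 6, after waiting alone, and after waiting plus one attempt on
    the closed port."""
    fqdn = one_time_host(1166986089765)
    data = [tinydns_line(fqdn, ATTACKER_IP, 8)]          # step 3: TTL 8 seconds
    def authoritative(name):                             # what tinydns serves now
        for line in data:
            f, ip, ttl = parse_tinydns_line(line)
            if f == name:
                return ip, ttl
        raise LookupError(name)
    browser = PinnedBrowser(DnsCache(authoritative, min_ttl))
    at_step6 = browser.connect(fqdn, now=0)              # attacker's server
    data[:] = flip_record(data, fqdn, target_ip, 600)    # step 7: now points inside
    t = wait_seconds                                     # Step 1 of the earlier post
    wait_only = browser.connect(fqdn, now=t)             # still pinned
    browser.connect(fqdn, now=t, port_open=False)        # Step 2 / step 9: port 81
    wait_and_trick = browser.connect(fqdn, now=t)        # steps 10-11
    return at_step6, wait_only, wait_and_trick
```

run_demo(9) returns the attacker's address for step 6 and for the wait-only fetch, and 192.168.0.1 once the closed-port attempt has dropped the pin. run_demo(5) stays on 218.45.25.195 because the resolver cache has not expired yet, and run_demo(9, min_ttl=120) stays there too, which is the thread's "about 120 seconds" for Firefox. Whatever the browser does, the request that finally reaches 192.168.0.1 carries Host: 1166986089765.jumperz.net, so a server that checks host_header_ok() against its own names answers with an error page and the script reads nothing useful.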
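bubenrazuma's cookie-and-hash check earlier in the thread (the post of 16 Jan 2007) rests on one browser rule: a Set-Cookie that carries a Domain attribute is stored only when the host the response came from domain-matches that attribute. After a rebinding the browser believes it is talking to <one-time>.jumperz.net, so a cookie scoped to the application's real name is refused and never comes back with the redirected request. The Python below is an added example, not bubenrazuma's code: app() is the application side of the scheme (with an HMAC in place of a bare hash, so the tag cannot be computed by the attacker), CookieJar is the browser rule just described, and visit() drives both. intranet.example, the cookie name and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

APP_DOMAIN = "intranet.example"        # assumed: the application's real host name
SERVER_KEY = secrets.token_bytes(32)   # assumed: per-process secret for the tag
COOKIE = "dnscheck"                    # assumed cookie name

def cookie_tag(value):
    """The 'hash of that cookie': an HMAC, so only the server can compute it."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()

def app(cookies, query):
    """One request to the application.  cookies: what the browser sent;
    query: the parsed query string.  Returns a small response dict."""
    if "tag" in query:                              # the redirected-back request
        ok = COOKIE in cookies and hmac.compare_digest(
            query["tag"], cookie_tag(cookies[COOKIE]))
        if ok:
            return {"status": 200, "body": "welcome"}
        return {"status": 403, "body": "cookie missing or wrong: DNS was spoofed"}
    if COOKIE not in cookies:                       # first contact: set and bounce
        value = secrets.token_hex(16)
        return {"status": 302,
                "set_cookie": f"{COOKIE}={value}; Domain={APP_DOMAIN}; Path=/",
                "location": "/?" + urlencode({"tag": cookie_tag(value)})}
    return {"status": 200, "body": "welcome back"}

class CookieJar:
    """The browser rule the scheme depends on (RFC 6265, section 5.3): a
    Set-Cookie with a Domain attribute is kept only if the host the response
    came from domain-matches that attribute."""
    def __init__(self):
        self.stored = {}                            # domain -> {name: value}

    @staticmethod
    def _matches(host, domain):
        return host == domain or host.endswith("." + domain)

    def store(self, request_host, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = dict(p.partition("=")[::2] for p in parts[1:])
        domain = attrs.get("Domain", request_host).lstrip(".").lower()
        if not self._matches(request_host.lower(), domain):
            return False                            # the browser drops the cookie
        self.stored.setdefault(domain, {})[name] = value
        return True

    def cookies_for(self, request_host):
        host = request_host.lower()
        return {n: v for d, jar in self.stored.items() if self._matches(host, d)
                for n, v in jar.items()}

def visit(request_host):
    """Drive one browser through the scheme.  request_host is the name the
    browser thinks it is talking to: the app's own name on an honest visit,
    the attacker's one-time host after a rebinding."""
    jar = CookieJar()
    first = app(jar.cookies_for(request_host), {})
    jar.store(request_host, first["set_cookie"])
    query = {k: v[0] for k, v in parse_qs(first["location"].split("?", 1)[1]).items()}
    second = app(jar.cookies_for(request_host), query)
    return second["status"]
```

visit("intranet.example") ends in 200; visit("1166986089765.jumperz.net") ends in 403, because the cookie was refused and the tagged request arrives without it. The Domain value has to be the application's own host name: scoping it to a wider parent domain widens the set of hosts the browser will accept it from. Since every rebound request also carries the wrong Host header, checking that header against the server's own names is the simpler first line, and this scheme is a second one.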